Northwest Mountain Region
- Subject:
- AVIATION WEATHER, NOTAM AND AERONAUTICAL DATA INTERNET PROVIDER STANDARDS
- Initiated by: ARW-100 Change: v 0.13
- Date: November 16, 2000
1. PURPOSE. This Advisory Circular (AC) establishes standards for Qualified Internet Providers which disseminate aviation weather, Notice to Airmen (NOTAM) and aeronautical data via the Public Internet to designated aviation users. This AC also establishes procedures for the Federal Aviation Administration (FAA) to determine the qualification of Qualified Internet Providers.
Any person or organization is eligible to become a Qualified Internet Provider by demonstrating compliance with the standards established within this AC. A current list of all Qualified Internet Providers will be maintained by the FAA Aviation Weather Standards Division (ARW-200) and disseminated to all Principal Operations Inspectors (POIs). [Possible develop a web page to make sure it is open to all parties interested also look on the second to last page par e.1 last sentence]
Persons required to operate under operations specifications (such as Air Carriers and Air Operators under 14 CFR Part 119) must use Approved Aviation Weather Sources for operational purposes. This AC does not address the approval of such sources as guidance for that matter is found in FAA Order 8400.10, Air Transportation Operations Inspector�s Handbook, Volume 3, Chapter 7. Qualified Internet Providers, who are also Approved Aviation Weather Sources, are qualified to provide weather, NOTAM and aeronautical data to designated air carrier users for regulated operations. �
This AC does not apply to Intranet (internal Internet) dissemination and communications systems maintained by an operator. These systems are described in the accepted General Operations Manual and/or described in the Operations Specifications issued by the certificate holding district office. [This has to be reworded that this refers to only Intranet does not apply to only an internal communication system both Catey and Gardner feel this is not clear]�
Like all advisory material, this AC is not mandatory and does not constitute a regulation. Definitions used in this AC are contained in Appendix 1.
2. STANDARDS. A person or organization may be designated as a Qualified Internet Provider by meeting and maintaining the following dissemination system standards as these pertain to the provider's facility (i.e., all hardware, software, and Internet connectivity under the applicant�s direct control):�
a. Reliability means users are able to retrieve requested products or data from the provider without a single outage lasting longer than 10 minutes, and no more than 30 minutes of total outages (including outages due to maintenance) in any continuous 3-month period.
b. Accessibility means turnaround time within the provider's facility. The provider should be capable of completing one session with 100% of its users within 2 minutes.
Figure 1: Illustration of a Session�
c. Security means maintaining session data integrity and two-way non-repudiation. To enable digital signature and user (i.e., recipient of data) authentication, the provider shall establish a digital signature technology license agreement as documented by a contract with a Public Key Infrastructure. In addition, the provider shall establish and implement security practices to minimize unauthorized access to or modification of provider data, software and hardware.
1) Use of the public Internet carries certain risks to both Qualified Internet Providers and to end-users. Below are some of the more common risks:
a) The user receives intentionally corrupted data from a bogus source instead of original data from a valid source, not detecting the difference. The bogus source captured the original data en route and replaced it with intentionally corrupted data.
b) The user receives forged or fake data that purports to be from a valid source but is actually generated by a bogus source.
c) The user gets original data from a valid source, but it is inaccurate; it causes a problem in the user�s operation and, subsequently, the source denies sending it in order to avoid culpability for the user�s loss.
d) The user gets original data from a valid source, fails to use it or misuses it, gets into trouble as a result and, subsequently, denies ever getting the data in order to shift the blame back to the provider.2) To mitigate these risks, session data must be protected by digital signature and by user (recipient of data) authentication. These two capabilities together provide data integrity and non-repudiatable authentication of the service provider.
3. RECOMMENDED PRACTICES.
Qualified Internet Providers should maintain a retrievable archive of data received and provided in each session for a period of no less than 15 days after the date of that session. In the event of receipt of notification of an accident, incident or overdue aircraft, or upon the request of the FAA or the National Transportation Safety Board (NTSB), the provider should retain the data related to that aircraft indefinitely, or until such time that the provider is notified by the FAA or NTSB that it may be destroyed. �The Qualified Internet Provider should make this data available in the form of a readable certified true copy upon request of the FAA, the NTSB or a Federal, state or local law enforcement.
With the increasing availability of developmental weather products and other aeronautical information, Qualified Internet Providers are encouraged to clearly identify the approval status of each product. This may be done by partitioning the Web site, by grouping products, or by labeling each individual product. Users are encouraged to require such identification by Qualified Internet Providers.
3. 4. PROCESS FOR QUALIFICATION. As illustrated by Figure 2 below, for a provider to be eligible to be cited in an Air Carrier�s Operations Specification, paragraph A10, for Internet dissemination, a provider must be both a Qualified Internet Provider and an Approved Aviation Weather Source in accordance with FAA Order 8400.10. This section describes how a provider can become a Qualified Internet Provider.�
Figure 2: Process for Becoming a Qualified Internet Provider
a. Steps to Becoming a Qualified Internet Provider. Qualified Internet Providers are responsible for demonstrating full adherence to the Aviation Weather, NOTAM and Aeronautical Data Internet Provider Standards described in paragraph 2 above. To become a Qualified Internet Provider, applicants must:
1) Submit a letter of application to ARW-200 with the following attachments:
a) Service Description
b) Capability Demonstration Plan
c) Ongoing Compliance Plan
d) Documentation of a satisfactory digital signature and user authentication technology, or appropriate license agreement.
e) Security Practices2) Satisfactorily complete the required Capability Demonstration.
b. Attachments to the Letter of Application
1) Service Description: Describes how the applicant intends to meet the Aviation Weather, NOTAM and Aeronautical Data Internet Provider Standards and (optionally) the Recommended Practices. The Service Description should include, but is not limited to the following items:
a) Servers: size, capacity and throughput of each
b) Intended user(s) or user class(es) (e.g., general aviation, air carrier), estimated number of each
c) Product list
d) Source of products
e) Proposed server architecture
f) Network management software
g) Data archival (optional)
h) Identification of product approval status (optional)2) Capability Demonstration Plan: Describes how the applicant will demonstrate compliance with the standards and (optionally) the Recommended Practices, usually through a trial period of operations. An alternate method of compliance may be accepted by ARW-200 upon request of the applicant (e.g., documentation of prior Internet site performance). The Demonstration Plan should contain at least the following:
a) Primary points of contact for the demonstration
b) Period of time, including starting and completion dates
c) Performance statistics to be collected during the demonstration. (Note: These statistics could be collected using the same process as in paragraph 4.b.3)c) below.)
d) Proposed reporting format3) Ongoing Compliance Plan: Describes how the applicant will ensure ongoing compliance with these standards. This plan should include at least the following:
a) The names, titles and resumes of responsible personnel, and their duties, responsibilities and authorities
b) System maintenance procedures, including contracts and/or in-house capabilities
c) Quality Assurance Plan describing the process to collect and maintain performance statistics for these standards, and to provide them to ARW-200 semiannually or upon request
d) Quality of Service (QOS) agreements with each user or user class, specifying that these standards will be met. QOS agreements will include a requirement for Part 121/135 users to report any violation of the QOS to ARW-200.4) Digital Signature and User Authentication System Documentation: Verifies the applicant
has a satisfactory digital signature and user authentication capability by either:a) Providing verification of a digital signature and user authentication technology license issued by the licensor, or
b) Providing evidence of a satisfactory digital signature capability within the applicant�s dissemination system�5) Security Practices: Describes how the applicant will minimize unauthorized access to or modification of applicant's data, software or hardware.
c. Application Review. Upon receipt of the application, ARW-200 will acknowledge receipt, review for conformance to the standards provided in paragraph 2 of this AC, and advise the applicant in writing of its findings no later than 30 days from receipt. If the application does not meet standards, ARW-200 will return the submission to the applicant with recommendations for revision. If the application meets standards, ARW-200 will notify the applicant to proceed with its capability demonstration.�
d. Capability Demonstration. Upon receiving notification to proceed, the applicant shall demonstrate its Internet dissemination capability, usually by means of a trial period. During the trial period, the provider's Web site will be fully operational. During and after the trial period, the applicant will report test results to ARW-200 to document conformity with the standards contained in this AC.
e. Application Disposition
1) Upon successful completion of the capability demonstration, ARW-200 will issue a letter approving the applicant as a Qualified Internet Provider and add the applicant to the list of Qualified Internet Providers maintained by ARW-200. ARW-200 will disseminate the updated list to all POIs.�
2) Should the applicant fail to meet any standard contained in this AC, ARW-200 will issue a Letter of Denial, indicating the area(s) of non-compliance. The form and content of any subsequent re-application will be defined in the Letter of Denial.
5. ONGOING COMPLIANCE
Qualified Internet Data Providers shall demonstrate ongoing compliance by collecting facility performance statistics for these standards and providing them to ARW-200 semiannually or upon request (e.g., following ARW-200 notification of a QOS violation). ARW-200 and Qualified Internet Providers will collaborate to resolve identified problems in order to bring facilities back to standard.
Failure of a Qualified Internet Data Provider to comply with these standards may result in the removal of the provider from the list of Qualified Internet Data Providers. If so, ARW-200 will disseminate an updated list to all POIs.
6. ADDITIONAL INFORMATION
Questions or comments concerning this AC should be directed to:
FAA, Aviation Weather Directorate
Policy Division (ARW-100)
400 7th Street, SW, Room 8326
Washington, DC 20591(202) 493-0270APPENDIX 1. Definitions of terms
This appendix contains definitions of terms used throughout this AC.
Aeronautical Data Data that is non-controlling to ongoing flight operations, is advisory in nature and is non-time critical. Approved Aviation Weather Sources Persons or organizations identified in FAA Order 8400.10, Air Transportation Operations Inspector�s Handbook, Volume 3, Chapter 7, as approved sources of weather information. These entities create approved aviation weather products (such as a report or forecast). Facility All hardware, software, and Internet connectivity under the provider's direct control. NOTAM Aeronautical information that could affect a pilot�s decision to make a flight. It includes such information as airport or primary runway closures, changes in the status of navigational aids, radar service availability, and other information essential to planned en route, terminal or landing operations. Provider A person or organization (including a government agency) which supplies aviation weather, NOTAM and aeronautical information to a user. Public Internet Any and/or all of the Internet sites that are accessible by any Internet connection. A distinguishing feature is its use of a set of protocols called TCP/IP (Transmission Control Protocol/Internet Protocol). Session A complete transaction between the user and provider, beginning when the user's request arrives at the provider's facility and ending when the provider's reply leaves the facility. User A person or organization that requests and receives aviation weather, NOTAM and aeronautical data from a provider.
| MAIN INDEX | INFORMATION | CONSTITUTION | PRESS RELEASES |
| RECENT UPDATES | NEWSLETTERS | CONTRACT | POLITICS |
| RENAISSANCE | NEWS ARTICLES | FACREP HELPS | HUMOR |
| MY NOTES | LETTERS to MEMBERS | LINKS | NATIONAL/REGIONAL REPS |